elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/html_bk/enable.smtps.html

109 lines
6.7 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Enable SMTPS service (SMTP over SSL, port 465)</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><div class="admonition note">
<p class="admonition-title">This tutorial is available in other languages. <a href="https://github.com/iredmail/docs">Help translate more</a></p>
<p><a href="./enable.smtps-it_IT.html">Italiano</a> /</p>
</div>
<h1 id="enable-smtps-service-smtp-over-ssl-port-465">Enable SMTPS service (SMTP over SSL, port 465)</h1>
<div class="toc">
<ul>
<li><a href="#enable-smtps-service-smtp-over-ssl-port-465">Enable SMTPS service (SMTP over SSL, port 465)</a><ul>
<li><a href="#why-iredmail-doesnt-enable-smtps-smtp-over-ssl-by-default">Why iRedMail doesn't enable SMTPS (SMTP over SSL) by default</a></li>
<li><a href="#why-enable-smtps-since-its-depreciated">Why enable SMTPS since it's depreciated</a></li>
<li><a href="#how-to-enable-smtps">How to enable SMTPS</a></li>
<li><a href="#open-port-465-in-firewall">Open port 465 in firewall</a><ul>
<li><a href="#on-rhelcentos">On RHEL/CentOS</a></li>
<li><a href="#on-debianubuntu">on Debian/Ubuntu</a></li>
<li><a href="#on-openbsd">on OpenBSD</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h3 id="why-iredmail-doesnt-enable-smtps-smtp-over-ssl-by-default">Why iRedMail doesn't enable SMTPS (SMTP over SSL) by default</h3>
<p>SMTPS is deprecated, so iRedMail disable it by default.
Quote from <a href="http://en.wikipedia.org/wiki/SMTPS">wikipedia.org</a></p>
<blockquote>
<p>Originally, in early 1997, the Internet Assigned Numbers Authority registered 465 for SMTPS. By the end of 1998, this was revoked when STARTTLS has been specified. With STARTTLS, the same port can be used with or without TLS. SMTP was seen as particularly important, because clients of this protocol are often other mail servers, which can not know whether a server they wish to communicate with will have a separate port for TLS. The port 465 is now registered for Source-Specific Multicast audio and video.</p>
</blockquote>
<h3 id="why-enable-smtps-since-its-depreciated">Why enable SMTPS since it's depreciated</h3>
<p>Unfortunately, there're some popular mail clients don't support submission (SMTP over STARTTLS, port 587), the famous one is Microsoft Outlook. Quote from wikipedia.org:</p>
<blockquote>
<p>Even in 2013, there are still services that continue to offer the deprecated SMTPS interface on port 465 in addition to (or instead of!) the RFC-compliant message submission interface on the port 587 defined by RFC 6409. Service providers that maintain port 465 do so because older Microsoft applications (including Entourage v10.0) do not support STARTTLS, and thus not the smtp-submission standard (ESMTPS on port 587). The only way for service providers to offer those clients an encrypted connection is to maintain port 465.</p>
</blockquote>
<h3 id="how-to-enable-smtps">How to enable SMTPS</h3>
<p>To enable SMTPS, you should configure Postfix to listen on port 465 first, then open port 465 in iptables.</p>
<p>Please append below lines in Postfix config file <code>/etc/postfix/master.cf</code> (Linux/OpenBSD) or <code>/usr/local/etc/postfix/master.cf</code> (FreeBSD):</p>
<pre><code>465 inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
</code></pre>
<p>Restart Postfix service to enable SMTPS.</p>
<p><strong>WARNING</strong>: Please make sure you have Amavisd listening on port 10026 (and 10024, 9998).</p>
<h3 id="open-port-465-in-firewall">Open port <code>465</code> in firewall</h3>
<h4 id="on-rhelcentos">On RHEL/CentOS</h4>
<ul>
<li>on RHEL/CentOS 6, please update iptables rule file <code>/etc/sysconfig/iptables</code>, add one rule (third line in below code) for port 465, then restart iptables service.</li>
</ul>
<pre><code># Part of file: /etc/sysconfig/iptables
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
</code></pre>
<ul>
<li>on RHEL/CentOS 7, please add file <code>/etc/firewalld/services/smtps.xml</code>, with content below</li>
</ul>
<pre><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
&lt;service&gt;
&lt;short&gt;Enable SMTPS&lt;/short&gt;
&lt;description&gt;Enable SMTPS.&lt;/description&gt;
&lt;port protocol=&quot;tcp&quot; port=&quot;465&quot;/&gt;
&lt;/service&gt;
</code></pre>
<p>Update file <code>/etc/firewalld/zones/iredmail.xml</code>, enable smtps service by
inserting line <code>&lt;service name="smtps"/&gt;</code> inside <code>&lt;zone&gt;&lt;/zone&gt;</code> block like
below:</p>
<pre><code>&lt;zone&gt;
...
&lt;service name=&quot;smtps&quot;/&gt;
&lt;/zone&gt;
</code></pre>
<p>Restart firewalld service:</p>
<pre><code># firewall-cmd --complete-reload
</code></pre>
<h4 id="on-debianubuntu">on Debian/Ubuntu</h4>
<p>On Debian/Ubuntu, if you use iptables rule file provided by iRedMail, please update <code>/etc/default/iptables</code>, add one rule (third line in below code) for port 465, then restart iptables service.</p>
<pre><code># Part of file: /etc/default/iptables
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
</code></pre>
<h4 id="on-openbsd">on OpenBSD</h4>
<p>On OpenBSD, please append service <code>smtps</code> in <code>/etc/pf.conf</code>, parameter <code>mail_services=</code>:</p>
<pre><code># Part of file: /etc/pf.conf
mail_services=&quot;{www, https, submission, imap, imaps, pop3, pop3s, ssh, smtps}&quot;
</code></pre>
<p>Reload PF rule file:</p>
<pre><code># pfctl -f /etc/pf.conf
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>
Reference in New Issue View Git Blame Copy Permalink